The simple fact is that cyber criminals today want information that they can use to make money. We recently published the Trustwave 2012 Global Security Report, which reveals trends, attack methods and findings from the hundreds of data breach investigations we performed at organizations around the world. We found that nearly 90 percent of attacks were designed to steal customer information including cardholder data, e-mail addresses and account information.

Every day, criminals find new ways to breach systems and steal that information. Some of the attacks are targeted, extremely technical and stealthy in nature. However, many attacks simply take advantage of poor security practices like using an easily guessable password for protecting critical business systems. Or, in the case of many restaurants and franchise businesses, unsecure and public WiFi networks are conveniently (for the criminal) connected to point of sale systems. Would you like some credit-card information with your coffee?

In 2011, Trustwave SpiderLabs conducted 42 percent more data breach investigations than in the previous year. More than 85 percent of these data breaches occurred in the food and beverage, retail and hospitality industries.

Why the focus on these industries? There are several reasons, but the number one is that they all process credit cards. In our investigations, we found that the vast majority of assets targeted by criminals were point-of-sale software systems (75 percent of cases). Think of the scenario of a hotel that maintains a restaurant, a spa, as well as other services all connected to one POS system. If a criminal can breach a system in the restaurant, they also have access to the front desk, the spa and any other connected system. The risk is even greater when hotels are part of a hotel chain with interconnected systems. We’ve investigated cases where the criminal breached the environment at one location and was in turn able to connect to dozens of others through the wide area network used by the hotel chain.

Franchise businesses are particularly at risk, primarily because franchises tend to have the same POS system duplicated at all locations. If a cybercriminal can figure out a way to breach one, in all likelihood, they can replicate the attack at other locations. Another issue we found in our investigations is that franchises tend to have weak security measures in place. Most of the time these businesses don’t have trained security professionals on staff; instead most assume their IT personnel are taking care of all of their security needs. We’ve found that to be rarely the case. In fact, in our 2011 investigations, 76 percent of environments we investigated had a third party introduce a security flaw within the environment that contributed to criminals being able to compromise data.

Another alarming trend we found in our investigations was that self-detection of breaches decreased in 2011, and only 16 percent of victimized organizations actually detected the breach themselves. Even worse, the analysis found that attackers had an average of 173.5 days within the victim’s environment before detection occurred. This means that customer data could have been flowing out of the business for months and into the hands of criminals.

What can businesses do to protect themselves?

There are a number of areas that we recommend businesses focus on to shore up their security. The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness and education for employees is the first line of defense. Very often businesses ignore the fact that while their employees might not be security experts, they can tell when something has changed on a system they use on a daily basis. We had such a case last year, where a cashier at a retail chain noticed the POS screen looked different than it had the day before. There were a few additional applications open that they did not recognize. The cashier reported it to the company’s security hotline and sure enough there was a cybercriminal on the system.

It’s critical that organizations get a complete inventory or registry of valid assets in their environment to provide the insight needed to identify malicious activity. When working with third parties, always build security requirements into the contract and impose policies and procedures such as good password policies to ensure tight control and better security.

Finally, we know that the majority of businesses don’t detect the fact that they have been breached, and are usually alerted about a breach by a bank or law enforcement long after the criminals have been pumping information out of the organization. That makes it critical to have ongoing assessments and event analysis. The quicker an organization can identify an issue and respond to a breach, the less likely it is to experience the deep penalties, both financial and to its brand.